Re: rng-tools bugs in slugos/BE-4.8-beta

  • Jimmy C. Chau
    Message 1 of 3 , Nov 19, 2011
      I've been investigating this some more (this time with SlugOSBE-5.3-beta) and it seems like there isn't a hardware random number generator. There isn't any mention of one in the datasheet that I could find for the IXP422 <http://www.alldatasheet.com/datasheet-pdf/pdf/168291/INTEL/FWIXP422BB.html>. And if I try to read it, I get nothing even after waiting several minutes (I do get something from it initially, but subsequent reads yield nothing, even a long while later).

      Worse, the initial junk isn't random:
      # dd if=/dev/hwrng bs=2500 count=10 | rngtest -t 1
      rngtest 2
      Copyright (c) 2004 by Henrique de Moraes Holschuh
      This is free software; see the source for copying conditions.  There is NO warranty; not even for MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE.

      rngtest: starting FIPS tests...
      10+0 records in
      10+0 records out
      rngtest: entropy source drained
      rngtest: bits received from input: 200000
      rngtest: FIPS 140-2 successes: 0
      rngtest: FIPS 140-2 failures: 9
      rngtest: FIPS 140-2(2001-10-10) Monobit: 9
      rngtest: FIPS 140-2(2001-10-10) Poker: 9
      rngtest: FIPS 140-2(2001-10-10) Runs: 9
      rngtest: FIPS 140-2(2001-10-10) Long run: 0
      rngtest: FIPS 140-2(2001-10-10) Continuous run: 9
      rngtest: input channel speed: (min=1.220; avg=5.779; max=389.255)Mibits/s
      rngtest: FIPS tests speed: (min=4.023; avg=4.344; max=4.424)Mibits/s
      rngtest: Program run time: 88048 microseconds
      On the latest attempt, if I try to run rngd with it,
      # rngd -f -o /tmp/randomSample -r /dev/hwrng
      failed fips test

      failed fips test

      failed fips test

      failed fips test
      This continues for a while, and when this initial junk runs out
      failed fips test

      failed fips test

      failed fips test

      Segmentation fault

      I've tried this across a few reboots and power-downs, and the results appear to be consistent.  From this, I'm concluding that without additional hardware, rng-tools (rngd) can't really add anything useful to the entropy pool.  I'm also concluding that despite the presence of /dev/hwrng, no *working* hardware random number generator exists on the Linksys NSLU2. 

      So to reply to my old email (below), without additional hardware, I was just sacrificing precious memory by running rngd. 

      -Jimmy

      On 04/20/08 19:28, Jimmy C. Chau wrote:

      I am using SlugOS/BE-4.8-beta. I have noticed that /etc/init.d/rng-tools has an error that prevents rngd from starting: rngd is set to /usr/local/sbin/rngd instead of /usr/sbin/rngd, where it actually is. I have corrected that on my NSLU2, but then I noticed that /dev/hwrandom did not exist; the closest match was /dev/hwrng, so I added the option "-r /dev/hwrng" to the init file.

      Now everything appears to work okay.  My remaining issues are whether the IXP422 actually has a random number generator; where does /dev/hwrng lead?  Am I improving my entropy pool by running rngd (or am I foolishly sacrificing precious memory)?  Can someone who knows more about the NSLU2 please enlighten me about this?  Thanks in advance. 

      Below is some more information.

      -Jimmy C. Chau
      <jchau@...>

      Here is the output from "ipkg info rng-tools"
      Package: rng-tools
      Version: 2-1
      Depends: update-rc.d, libgcc1 (>= 4.1.2), libc6 (>= 2.5)
      Status: install ok installed
      Section: base
      Architecture: armv5teb
      Maintainer: OpenEmbedded Team <openembedded-devel@...>
      MD5Sum: d3d0f6341a38d64ae4404a7196eedca3
      Filename: rng-tools_2-1_armv5teb.ipk
      Source: http://heanet.dl.sourceforge.net/sourceforge/gkernel/rng-tools-2.tar.gz file://init
      Description: Random number generator daemon

      Here is my modified /etc/init.d/rng-tools:
      #! /bin/sh
      #
      # This is an init script for openembedded
      # Copy it to /etc/init.d/rng-tools and type
      # > update-rc.d rng-tools defaults 60
      #

      # Modified by Jimmy C. Chau <jchau@...> 2008 Apr 20

      # The following line was edited from 'rngd=/usr/local/sbin/rngd'
      rngd=/usr/sbin/rngd
      test -x "$rngd" || exit 1

      rngd_options="-r /dev/hwrng"

      case "$1" in
        start)
          echo -n "Starting random number generator daemon"
          start-stop-daemon --start --quiet --exec $rngd -- $rngd_options
          echo "."
          ;;
        stop)
          echo -n "Stopping random number generator daemon"
          start-stop-daemon --stop --quiet -n rngd
          echo "."
          ;;
        reload|force-reload)
          echo -n "Signalling rng daemon restart"
          # Signal 1 is SIGHUP; sending it once is enough
          start-stop-daemon --stop --quiet --signal 1 --exec $rngd
          echo "."
          ;;
        restart)
          echo -n "Stopping random number generator daemon"
          start-stop-daemon --stop --quiet -n rngd
          echo "."
          echo -n "Starting random number generator daemon"
          start-stop-daemon --start --quiet --exec $rngd -- $rngd_options
          echo "."
          ;;
        *)
          echo "Usage: /etc/init.d/rng-tools {start|stop|reload|restart|force-reload}"
          exit 1
      esac
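
The FIPS 140-2 block tests that rngtest reports in the message above (monobit, poker, runs, long run), as an added example that is not part of the original post or of rng-tools: a Python version using the 2001-10-10 change-notice limits, run over constructed inputs. The continuous run test is omitted; `fips_block_failures`, `sha256_stream` and the sample blocks are assumptions made for the illustration.

```python
import hashlib
from itertools import groupby

# FIPS 140-2 (change notice 2001-10-10) run-count limits for one 20,000-bit block.
RUN_LIMITS = {1: (2315, 2685), 2: (1114, 1386), 3: (527, 723),
              4: (240, 384), 5: (103, 209), 6: (103, 209)}

def fips_block_failures(block: bytes) -> set:
    """Return the names of the FIPS 140-2 tests that a 2500-byte block fails."""
    if len(block) != 2500:
        raise ValueError("FIPS 140-2 tests operate on exactly 20,000 bits")
    bits = "".join(f"{b:08b}" for b in block)
    failed = set()
    # Monobit: the count of ones must lie strictly between 9725 and 10275.
    if not 9725 < bits.count("1") < 10275:
        failed.add("monobit")

    # Poker: chi-square style statistic over the 5000 four-bit nibbles.
    counts = [0] * 16
    for b in block:
        counts[b >> 4] += 1
        counts[b & 0x0F] += 1
    x = 16 / 5000 * sum(c * c for c in counts) - 5000
    if not 2.16 < x < 46.17:
        failed.add("poker")

    # Runs and long run: tally runs of zeros and ones by length (6+ pooled).
    tally = {(v, n): 0 for v in "01" for n in RUN_LIMITS}
    longest = 0
    for value, group in groupby(bits):
        length = sum(1 for _ in group)
        longest = max(longest, length)
        tally[(value, min(length, 6))] += 1
    if any(not lo <= tally[(v, n)] <= hi
           for v in "01" for n, (lo, hi) in RUN_LIMITS.items()):
        failed.add("runs")
    if longest >= 26:
        failed.add("long run")
    return failed

def sha256_stream(seed: bytes, n: int) -> bytes:
    """Constructed stand-in for a healthy source: SHA-256 in counter mode."""
    return b"".join(hashlib.sha256(seed + i.to_bytes(4, "big")).digest()
                    for i in range(n // 32 + 1))[:n]

if __name__ == "__main__":  # constructed sample blocks, not data from the NSLU2
    for name, data in (("all zeros", bytes(2500)), ("0x55 pattern", b"\x55" * 2500),
                       ("sha256 stream", sha256_stream(b"constructed", 2500))):
        print(name, "failed:", sorted(fips_block_failures(data)) or "nothing")
```

A perfectly balanced but patterned block (0x55 repeated) passes monobit and long run yet still fails poker and runs, which is why a device node that returns data is not evidence of usable entropy.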


    • Mike Westerhof (mwester)
      Message 2 of 3 , Nov 19, 2011
        On 11/19/2011 3:39 AM, Jimmy C. Chau wrote:
        >
        > I've been investigating this some more (this time with
        > SlugOSBE-5.3-beta) and it seems like there isn't a hardware random
        > number generator. There isn't any mention of one in the datasheet that
        > I could find for the IXP422
        > <http://www.alldatasheet.com/datasheet-pdf/pdf/168291/INTEL/FWIXP422BB.html>.
        > And if I try to read it, I get nothing even after waiting several
        > minutes (I do get something from it initially, but subsequent reads
        > yield nothing, even a long while later).

        The IXP420 in the NSLU2 lacks the encryption unit, which is what
        provides the hardware random numbers.

        -Mike (mwester)